Re: P3P/IE6 and cookies

On Mon, May 14, 2001 at 02:57:22PM -0400, Neil Durrant wrote:
> Hi,
> 
> I wonder if anyone on this list can offer a little assistance?

That's what this list and www-p3p-dev@w3.org are for. Please see
also the archives[0].
> 
> I'm trying to get to grips with IE6 implementation of The Platform for
> Privacy Preferences Project and its handling of cookies.
> 
> I've spent ages looking through relevant documentation and keep coming up
> with conflicting data or information that I'm unsure can be deemed as 100%
> reliable but..

From all I heard, IE6 implements the compact policies as defined
by the P3P Specification[1]. So it should be clear what IE6
does. If IE6 is behaving differently, it would be great if you
would report this back to this list (or www-p3p-dev@w3.org).

> 
> I believe IE6 is compliant with The Platform for Privacy Preferences
> Project (P3P) - http://www.w3.org/P3P/

As said, the privacy features claim to be an implementation of
the compact policies. 
> 
> The most worrying comment I have seen is that -
> 
> "If a site doesn't put up a compliant privacy policy at the site,
> P3P compliant browsers (such as IE6) will automatically refuse
> cookies from them unless the surfer changes the default settings for
> IE6 - an unlikely proposition."
> 
> Unsure if this statement is 100% accurate and I really needed to ascertain
> if this is the case?

I think they refer to the safe-zone behaviour as described in
the P3P Specification. If a P3P client does not find a P3P policy
or if there is a mismatch to the preferences, the client should
remain in the "safe-zone" state and not send out unnecessary
data (e.g. referer, cookies etc.).

What you are concerned about are the default preferences. The P3P
Specification requires that a user agent has to openly document
a mechanism to import preferences (or use APPEL-Language[2]).

I assume from your mail address, you're asking yourself
the question from a UK-perspective. The UK has implemented the
European Data Protection Directive. If you follow those rules and
express them in the compact policies, I would be surprised to
find a cookie blocked. 

Perhaps you should contact your data protection authority to
help you implement P3P on your site.

If you look for further information on how to implement P3P
compact policies on your Web-Server, please have a look at the
Server Implementation Guide[3] written by Martin Presler-Marshall
from IBM.

To write a policy, it might help you to use the P3P Policy
Editor[4].

Best, 


Rigo Wenning            W3C/INRIA
Policy Analyst          Privacy Activity Lead
mail:rigo@w3.org        2004, Routes des Lucioles
+33 (0)6 73 84 87 31    F-06902 Sophia Antipolis
http://www.w3.org/

> 
> Can anyone throw any more light on this?
> 
> Neil Durrant
> www.AffiliateMarketing.co.uk

  0. http://lists.w3.org/Archives/Public/www-p3p-policy/
  1. http://www.w3.org/TR/P3P/#compact_policies
  2. http://www.w3.org/TR/P3P-preferences
  3. http://www.w3.org/TR/p3pdeployment
  4. http://www.alphaworks.ibm.com/tech/p3peditor

Received on Tuesday, 15 May 2001 12:43:29 UTC
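
The safe-zone behaviour described in the reply above, as an added example that is not part of the original message and is not IE6's code: a client reads the compact policy from the `P3P` response header and stays in the safe zone when no policy is present or a token clashes with the user's preferences. The `REFUSED_TOKENS` preference set, the function names and the sample responses are assumptions constructed for illustration.

```python
import re

# Hypothetical user preference (an assumption, not IE6's default rules):
# compact-policy tokens the user refuses. In the P3P 1.0 compact vocabulary
# TEL is the telemarketing purpose and UNR is unrelated third-party recipients.
REFUSED_TOKENS = {"TEL", "UNR"}

# Matches the CP="..." part of: P3P: policyref="...", CP="NOI DSP COR"
_CP_RE = re.compile(r'\bCP\s*=\s*"([^"]*)"', re.IGNORECASE)


def parse_compact_policy(p3p_header):
    """Return the set of three-letter compact tokens, or None if there is no CP."""
    if not p3p_header:
        return None
    match = _CP_RE.search(p3p_header)
    if match is None:
        return None
    # Tokens may carry a one-letter a/i/o suffix (always, opt-in, opt-out).
    # Simplification: the suffix is dropped and only the base token is compared.
    tokens = {tok[:3].upper() for tok in match.group(1).split()}
    return tokens or None


def cookie_decision(response_headers, refused=REFUSED_TOKENS):
    """Return (state, reason) for a list of (name, value) response headers."""
    p3p = next((v for k, v in response_headers if k.lower() == "p3p"), None)
    tokens = parse_compact_policy(p3p)
    if tokens is None:
        return ("safe-zone", "no compact policy")
    clash = sorted(tokens & refused)
    if clash:
        return ("safe-zone", "mismatch: " + " ".join(clash))
    return ("accept", "policy matches preferences")


# Constructed sample responses (not captured traffic).
SAMPLES = {
    "with_policy": [("Set-Cookie", "id=1"),
                    ("P3P", 'policyref="/w3c/p3p.xml", CP="NOI DSP COR CUR OUR"')],
    "no_policy": [("Set-Cookie", "id=2")],
    "clashing": [("Set-Cookie", "id=3"), ("p3p", 'CP="CUR TELo UNR"')],
}

if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        print(name, cookie_decision(headers))
```
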